
Conclusion and Future Research Directions

Chapter 5 Conclusion


$$y_{i,k+1} = g^{x_{i,k+1}} \pmod n$$

$$x_{i,k+1} = x_{i,1}^{\,(\cdots)} \pmod n$$

where the exponent of $x_{i,1}$ is built from $\varphi_1, \varphi_2, \varphi_3, \dots, \varphi_c, \dots, \varphi_\tau$, $c$ and $d$ (only these symbols of the exponent survive in the extracted text, not its exact form). In this way, although the ElGamal key pair of each group still has to be updated every period, the opener no longer needs to connect to the group manager in every period: performing an update analogous to the manager's is enough to keep its key current.

Section 2 Conclusion and Future Research Directions

Building on the forward-secure group signature scheme with a revocation mechanism in [15], we incorporate the notion of hierarchy, so that groups are ordered into higher and lower, superior and subordinate levels: a manager at a higher level can open not only the signatures of its own group but also those of the groups beneath it. This is achieved by using the secure hierarchical key derivation method of [1] to set the ElGamal decryption keys, ElGamal encryption being what the group signature uses to encrypt membership certificates; the functionality above follows from this. In addition, the original architecture of [15] relies on a certificate revocation list, so as the number of revoked certificates grows, the amount of data in each period's revocation list grows as well, and later periods carry ever larger lists. We therefore modified the member joining phase so that a member's validity period can be fixed at the time of joining; where applicable, this helps reduce the data burden of the certificate revocation list.
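As an added example (not code from the thesis, nor from [1] or [15]), the following Python toy demonstrates the two mechanisms the conclusion and the preceding key-update passage describe: Akl-Taylor key derivation assigns each group a distinct prime so that a superior manager can derive a subordinate group's ElGamal decryption key and open a certificate encrypted to that group, and a per-period key update that manager and opener apply independently keeps them in sync without any connection between them. The hierarchy, the primes, the moduli, the certificate value and the squaring update rule are all constructed assumptions; the thesis's actual update exponent is not reproduced here.

```python
"""Toy hierarchical ElGamal opening keys via Akl-Taylor derivation (constructed example)."""
from math import prod
import secrets

# Constructed toy parameters, far too small for real use.
N_AT = 3233   # Akl-Taylor modulus (61 * 53); hierarchy keys live in Z_N_AT
P = 1019      # ElGamal prime, P = 2*Q + 1
Q = 509
G = 4         # generator of the order-Q subgroup of Z_P^*

# Hypothetical hierarchy: root above A and B, A above A1.
# Each entry lists the groups strictly above it (its superiors).
SUPERIORS = {"root": set(), "A": {"root"}, "B": {"root"}, "A1": {"A", "root"}}
# Akl-Taylor assigns a distinct prime to every group (constructed values).
GROUP_PRIME = {"root": 2, "A": 3, "B": 5, "A1": 7}


def can_open(i, j):
    """True if group i may open group j's signatures (i == j or i is above j)."""
    return i == j or i in SUPERIORS[j]


def at_exponent(i):
    """t_i: product of the primes of every group that i cannot open (Akl-Taylor)."""
    return prod(GROUP_PRIME[j] for j in SUPERIORS if not can_open(i, j))


def setup_keys(k0):
    """Period-1 ElGamal decryption keys x_{i,1} = k0^{t_i} mod N_AT for all groups."""
    return {i: pow(k0, at_exponent(i), N_AT) for i in SUPERIORS}


def derive_key(i, x_i, j):
    """Manager of i derives j's key as x_i^{t_j / t_i}; only possible when t_i divides t_j."""
    t_i, t_j = at_exponent(i), at_exponent(j)
    if t_j % t_i:
        raise PermissionError(f"{i} is not above {j}: t_{i} does not divide t_{j}")
    return pow(x_i, t_j // t_i, N_AT)


def public_key(x):
    """y = g^x mod P, the ElGamal encryption key published for a group."""
    return pow(G, x, P)


def encrypt_certificate(cert, y):
    """ElGamal-encrypt a membership certificate (an element of Z_P^*) under y."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), cert * pow(y, r, P) % P


def open_certificate(ciphertext, x):
    """Recover the certificate with decryption key x."""
    c1, c2 = ciphertext
    return c2 * pow(pow(c1, x, P), -1, P) % P


def next_period(x):
    """Assumed one-way per-period update x_{k+1} = x_k^2 mod N_AT (illustrative only,
    not the thesis's exact formula). Manager and opener each apply it locally, so no
    per-period connection is needed; squaring commutes with Akl-Taylor derivation."""
    return pow(x, 2, N_AT)


def demo(k0=1234, cert=9):
    """Returns (opened certificate, manager/opener keys agree, update commutes with derivation)."""
    keys = setup_keys(k0)
    # Root opens a certificate encrypted for subordinate group A1 without being handed x_A1.
    ct = encrypt_certificate(cert, public_key(keys["A1"]))
    opened = open_certificate(ct, derive_key("root", keys["root"], "A1"))
    # A's manager and an opener who derived A1's key earlier each update locally and still agree.
    manager_side = next_period(keys["A1"])
    opener_side = next_period(derive_key("A", keys["A"], "A1"))
    # Deriving A1's key from A's already-updated key gives the same period-2 key.
    commutes = public_key(manager_side) == public_key(derive_key("A", next_period(keys["A"]), "A1"))
    return opened, manager_side == opener_side, commutes


if __name__ == "__main__":
    print(demo())
```

Because the Akl-Taylor exponent $t_i$ divides $t_j$ exactly when $i$ is at or above $j$, `derive_key` succeeds for a superior and raises for a sibling such as B attempting to derive A1's key; the update in `next_period` is pure exponentiation, which is why it commutes with derivation and lets the opener stay current without contacting the manager.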

Several directions remain for future research. (1) On the basis of the architecture in this thesis, introduce the hierarchical notion into the signing part as well, for example by letting a member of a higher-level group sign on behalf of a lower-level group; efficiency must be taken into account, at minimum keeping the group public key and the signature length independent of the number of group members. (2) Under the multigroup-like architecture of this thesis, a member who belongs to several groups at once must hold several signing keys, since no derivation method for them is considered; this is an outcome that should be avoided, or at least the number of signing keys held should not grow linearly with the number of groups joined. (3) In the improved architecture, whether the opener can specify its validity period more efficiently, turning this into a convenient way of specifying a delegation period. Although these are not the focus of this thesis, all of them are directions for future improvement.

References

[1] S. G. Akl and P. D. Taylor, “Cryptographic solution to a problem of access control in a hierarchy,” ACM Transactions on Computer Systems, vol. 1, no. 3, pp. 239-248, 1983.

[2] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, “A practical and provably secure coalition-resistant group signature scheme,” In Proceedings of Advances in Cryptology - Crypto 2000, LNCS 1880, pp. 255-270, Springer-Verlag, 2000.

[3] G. Ateniese and G. Tsudik, “Some open issues and new directions in group signature,” In Proceedings of Financial Cryptography 1999, LNCS 1648, pp. 196-211, Springer-Verlag, 1999.

[4] N. Barić and B. Pfitzmann, “Collision-free accumulators and fail-stop signature schemes without trees,” In Proceedings of Advances in Cryptology - Eurocrypt 1997, LNCS 1233, pp. 480-494, Springer-Verlag, 1997.

[5] M. Bellare and S. K. Miner, “A forward-secure digital signature scheme,” In Proceedings of Advances in Cryptology - Crypto 1999, LNCS 1666, pp. 431-448, Springer-Verlag, 1999.

[6] J. Camenisch, “Efficient and generalized group signatures,” In Proceedings of Advances in Cryptology - Eurocrypt 1997, LNCS 1233, pp. 465-479, Springer-Verlag, 1997.

[7] J. Camenisch and M. Michels, “A group signature scheme based on an RSA-variant,” Technical Report RS-98-27, BRICS, Department of Computer Science, University of Aarhus, 1998. Preliminary version: [8].

[8] J. Camenisch and M. Michels, “A group signature scheme with improved efficiency,” In Proceedings of Advances in Cryptology – Asiacrypt 1998, LNCS 1514, pp. 160-174, Springer-Verlag, 1998.

[9] J. Camenisch and M. Michels, “An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation,” In Proceedings of Advances in Cryptology - Eurocrypt 2001, LNCS 2045, pp. 93-118, Springer-Verlag, 2001.

[10] J. Camenisch and M. Stadler, “Efficient group signature schemes for large groups,” In Proceedings of Advances in Cryptology - Crypto 1997, LNCS 1296, pp. 410-424, Springer-Verlag, 1997.

[11] S. Canard and J. Traoré, “On Fair E-cash Systems Based on Group Signature Schemes,” In Proceedings of Information Security and Privacy (ACISP’03), LNCS 2727, pp. 237-248, Springer-Verlag, 2003.

[12] D. Chaum and E. van Heyst, “Group signatures,” In Proceedings of Advances in Cryptology - Eurocrypt 1991, LNCS 547, pp. 257-265, Springer-Verlag, 1991.

[13] L. Chen and T. Pedersen, “New group signature schemes,” In Proceedings of Advances in Cryptology - Eurocrypt 1994, LNCS 950, pp. 171-181, Springer-Verlag, 1995.

[14] E. Fujisaki and T. Okamoto, “Statistical zero-knowledge protocols to prove modular polynomial relations,” In Proceedings of Advances in Cryptology - Crypto 1997, LNCS 1294, pp. 16-30, Springer-Verlag, 1997.

[15] C. H. Huang and W. G. Tzeng, “A Forward Group Signature Scheme with Revocation Mechanism,” National Chiao-Tung University, Master Thesis, 2002.

[16] G. Itkis and L. Reyzin, “Forward-secure signatures with optimal signing and verifying,” In Proceedings of Advances in Cryptology - Crypto 2001, LNCS 2139, pp. 332-354, Springer-Verlag, 2001.

[17] H. J. Kim, J. I. Lim and D. H. Lee, “Efficient and secure member deletion in group signature schemes,” In Proceedings of the Third International Conference on Information Security and Cryptology, LNCS 2015, pp. 150-161, Springer-Verlag, 2001.

[18] S. Kim, S. Park and D. Won, “Group signatures for Hierarchical Multigroups,” In Proceedings of the Information Security Workshop (ISW’97), LNCS 1396, pp. 273-281, Springer-Verlag, 1998.

[19] A. Lysyanskaya and Z. Ramzan, “Group blind digital signatures: A scalable solution to electronic cash,” In Proceedings of Financial Cryptography 1998, LNCS 1465, pp. 184-197, Springer-Verlag, 1998.

[20] G. Maitland and C. Boyd, “Fair Electronic Cash Based on a Group Signature Scheme,” In Proceedings of Information and Communications Security (ICICS’01), LNCS 2229, pp. 461-465, Springer-Verlag, 2001.

[21] H. Petersen, “How to convert any digital signature scheme into a group signature scheme,” In Proceedings of the 5th International Workshop on Security Protocols, LNCS 1361, pp. 177-190, Springer-Verlag, 1998.

[22] K. Sakurai and S. Miyazaki, “An anonymous electronic bidding protocol based on a new convertible group signature scheme,” In Proceedings of Information Security and Privacy (ACISP’00), LNCS 1841, pp. 385-399, Springer-Verlag, 2000.

[23] D. Song, “Practical forward-secure group signature schemes,” In Proceedings of the Eighth ACM Symposium on Computer and Communication Security (CCS 2001), pp. 225-234, 2001.

[24] G. Wang, “On the Security of a Group Signature Scheme with Forward Security,” In Cryptology ePrint Archive, http://eprint.iacr.org/2003/226/

[25] M. Zhang, “New Approaches to Password Authenticated Key Exchange based on RSA,” In Cryptology ePrint Archive, http://eprint.iacr.org/2004/033/

[26] J. Zhang, Q. Wu and Y. Wang, “A novel efficient group signature scheme with forward security,” In Proceedings of Information and Communications Security (ICICS’03), LNCS 2836, pp. 292-300, Springer-Verlag, 2003.
